Acquisition of authentication rules for service provisioning

ABSTRACT

Described are methods, systems, and apparatus, including computer program products for providing authentication for service provisioning. One or more executable authentication rules are provided for determining access by a user to one or more services. At least a first executable authentication rule is selected from the one or more executable authentication rules. The first executable authentication rule is for determining access by the user to at least a first service from the one or more services, wherein selecting the first executable authentication rule is based on: a characteristic of the user, a characteristic of a request, a characteristic of an acquisition point, or any combination thereof. A rules credential is generated. The rules credential includes the first executable authentication rule.

RELATED APPLICATIONS

This application is a continuation application of, and claims priorityto, U.S. patent application Ser. No. 11/593,992, filed Nov. 7, 2006, thedisclosure of which is incorporated herein by reference in its entirety.

FIELD OF THE INVENTION

The present invention relates generally to computer-based methods andapparatuses, including computer program products, for acquiringauthentication rules for service provisioning.

BACKGROUND

Hackers are becoming increasingly adept at identity theft in electroniccommerce. Viruses, Trojan horses, worms, and spyware are used by hackersto install malware programs on consumers' systems to look for consumersvisiting electronic commerce sites and entering their credentials.Malware programs can collect consumers′ authentication data and othersensitive data by monitoring the keystrokes typed in by the user andsending them back to the hacker. The hacker is then able to log in tothe consumers′ accounts to damage or disrupt it (e.g., steal from it).Explicit sharing by the consumer, capture by man-in-the-middle devices,and guessing are other means used to compromise sensitive data. Thecompromises of authentication credentials expose service providers andtheir customers to the potential for financial loss and identify theft.

With respect to providing secure electronic commerce, service providersimplement rigid authentication processes for their consumers to accesstheir services. Typically, the authentication process involves acustomer identifier and a password known only to the consumer. For moresensitive electronic commerce areas, a multi-factor authenticationprocess is used involving, for example, a hard-token in addition to thetraditional username and password.

SUMMARY OF THE INVENTION

One approach to providing customizable authentication for serviceprovisioning is to enable a user to customize an authentication system.In one aspect, there is a computerized method. The method includesenabling a first user to customize an authentication system associatedwith a service type. Customizing the authentication system includesdefining one or more authentication rules for determining access for asecond user to a service for the service type.

In other examples, any of the aspects above can include one or more ofthe following features. The first user can include a consumerorganization or an organization subgroup of the consumer organization.The first and second user can include an individual consumer. The seconduser can include one or more individual consumers of the first user. Themethod can further include enabling the second user to customize theauthentication system associated with the service type. The one or moreauthentication rules comprise: a mandatory rule, an optional rule, orany combination thereof.

In addition, the method can further include receiving, from the seconduser, a request for the service at an enforcement point. The method canfurther include generating a rules credential including the one or moreauthentication rules. Generating the rules credential can be based on: acharacteristic of the second user, a characteristic of the request, acharacteristic of the enforcement point, or any combination thereof. Thecharacteristic of the second user can include an identificationcredential of the second user, an identification credential of a groupof users including the second user, or any combination thereof. Thecharacteristic of the request can include: an access-channelcharacteristic, an access-point characteristic, a device characteristic,or any combination thereof. The characteristic of the enforcement pointcan include: a time characteristic, a day characteristic, a policycharacteristic, a service type characteristic, a function typecharacteristic, or any combination thereof. The method can furtherinclude receiving, from the second user, a second request for a secondservice at a second enforcement point different from the firstenforcement point. The second request can include the rules credential.The method can further include executing, at the second enforcementpoint, at least one of the one or more authentication rules included inthe rules credential.

In various embodiments, the method can further include receiving, fromthe second user, a request for the service at an enforcement point. Themethod can further include determining if the one or more authenticationrules apply to the second user at the enforcement point. The method canfurther include executing an authentication action specified by the oneor more authentication rules when the one or more authentication rulesapply.

In some embodiments, determining if the one or more authentication rulesapplies can include determining if one or more triggers specified by theone or more authentication rules are triggered. The one or more triggerscan include: a user trigger, a request trigger, an enforcement pointtrigger, a policy trigger, or any combination thereof. The requesttrigger can include: an access-channel trigger, an access-point trigger,a device trigger, or any combination thereof. The method can furtherinclude triggering the access-channel trigger when the second userattempts to access the service using: a web message, a universalresource locator (URL) message, electronic mail, text messaging, instantmessaging, a session initiation protocol (SIP) message, a short messageservice (SMS) message, a multimedia messaging service (MMS) message, anenhanced messaging service (EMS) message, an IP multimedia system (IMS)message, a live voice call, an automated voice call, an interactivevoice response (IVR) call, or any combination thereof. The method canfurther include triggering the access-point trigger when the second userattempts to access the service from a specified network access-point.

In various embodiments, the enforcement point trigger can include: atime trigger, a day trigger, a service type trigger, a function trigger,an expiration-of-time trigger, or any combination thereof. The methodcan further include triggering the service type trigger when the servicetype matches a specified service type. The specified service type caninclude: a retail services type, an employment services type, aninsurance services type, or any combination thereof. The method canfurther include triggering the function trigger when the service matchesa specified service. The specified service can include: a financialservice, an accounting service, a personnel service, an administrativeservice, a trade service, or any combination thereof. The method canfurther include triggering the time or date triggers when the seconduser attempts to access the service during: a specified time range, aspecified day of the week, a specified set of dates, or any combinationthereof.

In various embodiments, the policy trigger can include a fraud trigger.Executing the authentication action can include blocking the second userfrom accessing the service, and directing the second user to a sitedifferent from the enforcement point. Executing the authenticationaction can also include providing access to the service to the seconduser, and executing a supplemental action when the second user accessesthe service. The supplemental action can include a monitoring action.

In addition, the method can further include receiving, from the seconduser, a request for the service at an enforcement point. The method canfurther include determining if the second user satisfies the one or moreauthentication rules, and providing access to the service to the seconduser if the second user satisfies the one or more authentication rules.The method can further include executing a first authentication actionif the second user does not satisfy the one or more authenticationrules. The method can further include determining if the enforcementpoint includes an override, and providing access to the service to thesecond user if the enforcement point includes the override.

In some embodiments, the first authentication action can be specified bythe one or more authentication rules. The first authentication actioncan be specified by the enforcement point. Determining if the seconduser satisfies the one or more authentication rules can includedetermining a satisfaction state of the one or more authenticationrules. Executing the first authentication action can include redirectingthe second user to an authentication site separate from the enforcementpoint. The method can further include modifying a satisfaction state ofthe one or more authentication rules based on a result of the firstauthentication action.

In various embodiments, the first authentication action can include: ahard token action, a soft token action, a personal identification number(PIN) action, a password (PW) action, a knowledge action, a biometricaction, a modify-user information action, or any combination thereof.Determining if the second user satisfies the one or more authenticationrules can include processing the one or more authentication rules in anorder specified by one or more priority characteristics of the one ormore authentication rules. The one or more priority characteristics caninclude: a priority code, a priority class, a priority type, a prioritycontext, or any combination thereof.

Any of the above implementations can realize one or more of thefollowing advantages. Customized authentication for service provisioningallows flexibility in the specification, evaluation, and satisficationof authentication and navigation requirements. In addition, the aboveimplementations can provide for the ability to incrementally introducenew forms of authentication into an already operable system and theability to provide scalable, high-performance authenticationimplementations. In addition, customized authentication requirementsapplied to an individual or group of users allows a service providerflexibility when describing authentication requirements for variousgroups or classes of users. Granularity in the application to the usersallows the service provider to provide different authenticationrequirements to different groups as necessary. In addition, enablingmore than one entity to customize authentication requirements for thesame user or group of users allows different entities the ability toconstruct rules relevant to their needs independently from the needs ofother entities. In addition, enabling an entity to impose customizedauthentication requirements on a group of users specified by commoncharacteristics allows imposing entities to define authenticationrequirements that vary across their universe of users and across theresources that they offer to users.

In addition, enabling an entity to impose customized authenticationactions allows the entity to build authentication requirements using anyof the supported mechanisms and to add new mechanisms withoutinterfering with those already available in a system. In addition,enabling an entity to impose mandatory or optional authenticationrequirements on the entity's users allows the entity to create minimumstandards for authentication and allows them the ability to offer aspectrum of additional services that provide the user with a spectrum ofcost benefit choices. In addition, enabling an entity to structureauthentication requirements to segment services under differentauthentication requirements allows the flexibility and ability tocontrol user navigation based on characteristics of the user andcharacteristics of the services. In addition, authentication processingconducted locally at fulfillment processing locations allows serviceproviders to scale the service delivery system to accommodate changingor growing loads. In addition, authentication grouping, imposedindependently or jointly by different entities, improves the userexperience by sharing the satisfaction of authentication requirementsacross aggregates of related requirements. In addition, prioritizingauthentication rules based on authentication priority ensures that usersperform actions in a desired sequence relative to other actions.

In addition, enabling different fulfillment types of authenticationrules allows imposing entities to either attach actions to the normalflow of user navigation or enforce navigational restrictions. Thevariety of fulfillment options offered allows imposing entitiesflexibility in specifying the time extent of authentication requirementsand the ability to impose, quickly and easily, local actions orrestrictions on classes of users. This also can allow imposing entitiesto react and respond to changing conditions simply by introducing new orchanged authentication requirements, while not changing the servicedelivery machinery. In addition, authentication triggering allowsimposing entities extensive options for specifying when and where usersmust respond to authentication requirements. The various criteria canallow imposing entities to restrict authentication requirements to onlythose conditions to which they meaningfully apply. In addition,authentication requirements based on a source address of the user allowsan imposing entity or service provider the ability to reduce exposure toproblems by monitoring or restricting admittance based on informationmined from previous experience across the available resources or fromoutside knowledge gained from commercial protection or law enforcementagencies.

Other aspects and advantages of the present invention will becomeapparent from the following detailed description, taken in conjunctionwith the accompanying drawings, illustrating the principles of theinvention by way of example only.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing and other objects, features, and advantages of the presentinvention, as well as the invention itself, will be more fullyunderstood from the following description of various embodiments, whenread together with the accompanying drawings.

FIG. 1 is a block diagram showing an exemplary network with devicesrelating to customizable authentication for service provisioning.

FIG. 2 illustrates a flowchart depicting authentication customizationand service provisioning.

FIG. 3 illustrates exemplary relationships between rule-creatingsponsors and consumers.

FIG. 4 illustrates an exemplary authentication rule.

FIGS. 5-25 illustrate flow diagrams depicting use case examples forauthenticated service provisioning.

DETAILED DESCRIPTION

FIG. 1 is a block diagram showing an exemplary network 100 with devicesrelating to customizable authentication for service provisioning. Thenetwork 100 includes a transmission medium 110, one or more user devices120 a, 120 b, and/or 120 c, generally 120, one or more servers 130 a,130 b, and/or 130 c, generally 130, at least one authentication server140, a rules server 141, and/or one or more device managers 145 a, 145b, and/or 145 c, generally 145. The transmission medium 110 isresponsible for the transfer of information between one or more of theuser devices 120, one or more of the servers 130, the authenticationserver 140, the rules server 141, and/or one or more of the devicemanagers 145.

Information transfer over the transmission medium 110 can be based onone or more communication protocols and/or communication modes.Communication protocols can include, for example, Internet Protocol(IP), Voice over IP (VOIP), Peer-to-Peer (P2P), Hypertext TransferProtocol (HTTP), Session Initiation Protocol (SIP), Really SimpleSyndication (RSS), podcasting, Signaling System #7 (SS7), Global Systemfor Mobile Communications (GSM), Push-to-Talk (PTT), PTT over Cellular(POC), and/or other communication protocols. Communication modes canrange from textual modality (e.g., electronic mail and/or instantmessaging) to graphical modality (e.g., still and/or moving pictures) toaudio modality (e.g., voice calls), or any combination thereof.

The transmission medium 110 can include one or more packet-basednetworks and/or one or more circuit-based networks in any configuration.Packet-based networks can include, for example, the Internet, a carrierInternet Protocol (IP) network (LAN, WAN, or the like), a private IPnetwork, an IP private branch exchange (IPBX), a wireless network (e.g.,a Radio Access Network (RAN)), and/or other packet-based networks.Circuit-based networks can include, for example, the Public SwitchedTelephone Network (PSTN), a legacy private branch exchange (PBX), awireless network (e.g., a RAN), and/or other circuit-based networks.

The transmission medium 110 can be coupled to the user devices 120 byconnections 115. The user devices 120 can be computers, telephones, IPphones, mobile devices (e.g., cellular phones, personal digitalassistant (PDA) devices, laptop computers, and/or the like), and/orother communication devices. Connections 115 can include electricalwires, optical fibers, and/or wireless transmissions. User devices 120can be identified by a unique and/or shared identifier. A unique userdevice identifier can be, for example, a telephone number, an IPaddress, and/or the like. A shared user device identifier can be, forexample, a network address, an area code, a country code, and/or thelike.

The transmission medium 110 can also be coupled to one or more servers130. The servers 130 can include, for example, web servers, applicationservers, media servers, gateways, softswitches, and/or the like. Aserver 130 can be responsible for providing one or more types ofservices to a consumer using one or more of the user devices 120. Typesof services can include, for example, financial services, accountingservices, transaction services, communication services, databaseservices, administrative services, and/or other electronic services.Financial services can include banking services, investing services(e.g., stock trading), accounting services, electronic funds transferservices, insurances services, employee information services (e.g.,employee benefits), institutional services, administrative services,and/or other electronic services. Transaction services can includeshopping, selling goods, trading goods, and/or the like. Communicationservices can include voice communication (e.g., Voice over IP (VOIP)),data communication, multimedia communication (e.g., video conferencing),networking (e.g., social networking, blogging, etc.), and/or the like.Database services can include library services, research services, newsservices, and/or the like. In one configuration, for example, server 130a can be a website for a bank providing financial services associatedwith checking and savings accounts of individual consumers. In anotherconfiguration, server 130 b can be a website for a car insurance unit ofan insurance company providing insurance services associated with aninsurance policy for a group of small businesses. In yet anotherconfiguration, server 130 c can be an automated phone server for anemployer providing employee benefit services associated with theemployees of the employer.

Each server 130 a, 130 b, and 130 c can include, respectively, anauthentication monitor 160 a, 160 b, and 160 c, generally 160. Anauthentication monitor 160 can determine access to and navigation of oneor more services provided by a server 130, by the enforcement andexecution of authentication rules, discussed below. In the system 100,the authentication monitors 160 are illustrated to be included in theservers 130, but other configurations can also be used. For example, theauthentication monitors 160 can be directly or indirectly connected tothe respective servers 130.

The determination of access to and navigation of services on one or moreservers 130 can be defined and controlled by one or more authenticationrules. The authentication server 140 and/or the rules server 141 can beresponsible for determining which authentication rules are associatedwith a user and acquiring the authentication rules when a user logs inand/or requests a service as they navigate the network 100. Theauthentication server 140 can also be responsible for executing one ormore authentication rules at the time the user logs in to request aservice from a server 130, or at any other time after the user is loggedin as they navigate one or more services provided by one or more servers130. One or more authentication rules can be stored on and retrievedfrom a rules server 141 and/or one or more device managers 145. Therules server 141 can be, for example, a repository database. In anotherconfiguration, the rules server 141 can be coupled to a repository rulesdatabase. A device manager 145 can be a server, a repository database,and/or the like.

In the system 100, the rules server 141 and the device managers 145 areillustrated to be directly connected to the authentication server 140,but other configurations can also be used. For example, the rules server141 and/or one or more device managers 145 can be included in theauthentication server 140, or can be directly or indirectly accessibleby the authentication server 140 over the transmission medium 110. Inaddition, the system 100 also illustrates the authentication server 140to be directly connected to the transmission medium 110, but otherconfigurations can also be used. For example, the authentication server140 can be indirectly connected to the transmission medium 110 and/orcan be directly connected to or included in a server 130.

FIG. 2 illustrates a flowchart 200 depicting authenticationcustomization and service provisioning. The elements of the flowchart200 are described using the exemplary network 100 of FIG. 1.Customizable authentication includes defining one or more authenticationrules (210). Service provisioning includes receiving, from a user, arequest for a service (220), generating a rules credential that includesone or more authentication rules (230), determining whether one or moreauthentication rules apply (240), processing one or more applicableauthentication rules if they apply (250), determining if moreauthentication rules are applicable (260), and/or provisioning therequested service (260).

A sponsoring user can define one or more authentication rules (210) todetermine a consuming user's access to a service. A sponsoring user caninclude, for example, a client organization or company of a serviceprovider, a unit or group of the organization or company (e.g.,marketing group, research and development group, regional group, etc.),and/or one or more individual clients of a service provider. Asponsoring user can also include a service provider. A consuming usercan include, for example, one or more individual consumers of thesponsoring user. The consuming user can also be defined according tospecified user characteristics. User characteristics can includebelonging to a certain organization or company (e.g., users associatedwith a company), belonging to a group or sub-group of an organization orcompany (e.g., full-time, part-time, or contracting employees), and/orbelonging to other groups of individuals. For example, the sponsoringuser can be an employer that uses a service provider to manage employeebenefit services. In this example, a consuming user can be the group ofall full-time employees. In another example, the sponsoring andconsuming user can be the same individual. For example, the sponsoringand consuming user can be an individual consumer of an online tradingservice provider. In yet another embodiment, the consuming user can beenabled to further add, remove, and/or edit one or more of theauthentication rules defined by the sponsoring user. In anotherembodiment, the sponsor can make one or more authentication rules to beeither mandatory or optional for a consuming user.

FIG. 3 illustrates exemplary relationships between rule-creatingsponsors and consumers. Sponsoring users can include an organization 310and/or one or more individual users 320. The organization 310 includessponsoring business units 330 and 340, which, in turn, can include oneor more individual users. The sponsoring business unit 340 includessub-organization and/or client groups 341 and 342. The sponsoringentities can generate or edit authentication rules using a rules manager350. For example, the sponsoring organization 310 can customize (361) anauthentication rule for one or more users in the enterprise 310 (i.e.,any combination of users A_(i), B_(i), and/or C_(i)). The sponsoringbusiness unit 330 can customize (362) an authentication rule for one ormore users in the business unit 330 (i.e., any combination of usersA_(i)). The sponsoring business unit 340 can customize (363) anauthentication rule for one or more users in the business unit 340(i.e., any combination of users B_(i) and/or C_(i)). The sponsoringsub-organization or client 341 can customize (364) an authenticationrule for one or more users in the sub-organization or client 341 (i.e.,any combination of users B_(i)). The user C_(N) in the sub-organizationor client 342 can customize (365) an authentication rule to beapplicable to user C_(N). The individual user D_(N) can also customize(366) an authentication rule to be applicable to user D_(N). The rulesmanager 350 can generate (367) specific authentication rule instancesfor specific users (e.g., users associated with a unique useridentifier), or can generate (367) authentication rule templates for anauthentication rule associated with one or more other usercharacteristics. The generated authentication rules can be transferredto an active rules database 355.

Generally, authentication rules govern the behavior of components of thenetwork 100 with respect to a user's access and navigation of thenetwork 100. Specifically, an authentication rule can: define who therule is to be associated with (e.g., a particular consumer), when it isto apply (e.g., when a consumer attempts to access a specific server 130and/or a specific service on a server 130), what action needs to beperformed (e.g., enter a hard token value), and/or how the action can befulfilled (e.g., redirect the user to a specified universal resourcelocator (URL) message for entering a hard token value).

FIG. 4 illustrates an exemplary authentication rule 400. Theauthentication rule 400 can include authentication rule data 410, one ormore authentication rule trigger sets 420, 430, and 440, and/or one ormore authentication rule instructions 421, 431, and 441, respectivelyassociated with an authentication rule trigger. In a supplemental oralternative embodiment, one or more authentication instructions can beassociated with an authentication trigger. In a further supplemental oralternative embodiment, one or more authentication states 422, 432, and442, can be associated with or included in, respectively, one or moreauthentication rule trigger sets 420, 430, and 440.

Authentication rule data 410 can define what entity (i.e., consuminguser) the authentication rule 400 is to be associated with when thatentity requests a service and/or logs on to a system. The authenticationrule data 410 can also state one or more authentication actions thatneed to be executed if the authentication rule 400 applies.Authentication actions can include, generally, any challenge thatrequires a response from the user. Specifically, authentication actionscan include: a hard token action, a soft token action, a personalidentification number (PIN) action, a password (PW) action, a knowledgeaction, a biometric action, a modify-user information action, and/orother actions. A hard token action can be implemented, for example,using a smart card and/or a token device. A soft token action can beimplemented, for example, using an electronic certificate, an electroniccredential, an electronic cookie, and/or the like. Knowledge actions caninclude, for example, question and answer actions. Modify-userinformation actions can include requesting the user to edit their userprofile. Authentication actions can also include actions that do notrequire a response from a user. For example, a non-responsive actionscan include blocking access to a service (e.g., a NavigationRestriction-type rule), monitor a user (e.g., an Information-type rule),and/or re-directing a user to a different resource. NavigationRestriction-type authentication rules can specify an action that limitsa user's navigation across the network 100 by redirecting, for example,the user to a different site than the one requested. Information-typeauthentication rules can specify that an action is to be executedlocally at an enforcement point.

Authentication rule data 410 can also include selection criteria basedon one or more specified characteristics. Selection criteria can be usedto select which authentication rules should be retrieved to beassociated with a specific user, which can take place at the beginningof a session or during a session as the user navigates one or moreservices of the network 100. Selection criteria can includecharacteristics of a user, characteristics of a request for a service,characteristics of an enforcement point, and/or other characteristics.Characteristics of a user can include a user identification, anorganization or sub-organization identification, and/or otheridentifiers.

Characteristics of a request can include an access-channelcharacteristic, an access-point characteristic, a user devicecharacteristic, and/or the like. Access-channel characteristics caninclude, for example, accessing a service using one or more of: a webmessage, a universal resource locator (URL) message, electronic mail,text messaging, instant messaging, a session initiation protocol (SIP)message, a short message service (SMS) message, a multimedia messagingservice (MMS) message, an enhanced messaging service (EMS) message, anIP multimedia system (IMS) message, a live voice call, an automatedvoice call, an interactive voice response (IVR) call, and/or the like.

Access-point characteristics can include, for example, requestsoriginating from a specified address (e.g., IP address, telephonenumber, etc.), a specified network address (e.g., IP network addresses,area codes, country codes, etc.), and/or the like. Devicecharacteristics can include, for example, software characteristics(e.g., browser agent), hardware characteristics (e.g., brand, model,version, etc.), and/or the like. Characteristics of an enforcement pointcan include, for example, time(s) of a day, day(s) of a week, a policycharacteristic (e.g., a sponsor or owner of the service/resource), aservice type characteristic (e.g., banking), a function typecharacteristic (e.g., setting up a new account), and/or the like.

Authentication rule trigger sets 420, 430, and/or 440, can define whenthe authentication rule 400 applies at one or more enforcement points.The enforcement points (e.g., an authentication server 140 or anauthentication monitor 160) can include enforcement contexts that ifthey match up with one or more triggers in the sets 420, 430, and/or440, then the authentication rule 400 is triggered and executed. Theauthentication rule trigger sets can be inclusive, exclusive, or anycombination thereof. For example, if the authentication rule trigger set420 is inclusive, then the authentication rule 400 is triggered whensome enforcement point context matches any one of the triggers in theset 420 (i.e., boolean ‘OR’ logic). If the authentication rule triggerset 430 is exclusive, then the authentication rule 400 is triggered whenno context or user authentication value matches any one of the triggersin the set 430 (i.e., boolean “AND NOT” logic). Generally, any booleanexpression can be used with one or more triggers in one or more triggersets to activate an authentication rule. If no triggers are included inan authentication trigger set 420, 430, and/or 440, then by default, theauthentication rule 400 can be triggered everywhere.

Authentication rule trigger sets 420, 430, and/or 440 can include, forexample, one or more of: a user trigger, a request trigger, anenforcement point trigger, a policy trigger, and/or the like. A usertrigger can include a user identification, an organization orsub-organization identification, and/or other identifiers. A requesttrigger can include an access-channel trigger, and access-point trigger,a user device trigger, and/or the like. Access-channel triggers caninclude access-channel characteristics, as described above. Access-pointtriggers can include access-point characteristics, also described above.Device triggers can include device characteristics, also describedabove. Enforcement point triggers can include, for example, expirationtime(s) trigger, time(s) of a day trigger, day(s) of a week trigger, aservice type trigger, a function type trigger, and/or the like. A policytrigger can include a sponsor trigger, a resource owner trigger, and/orthe like. Triggers can also specify execution of the authentication rule400 during login process (i.e., front door processing) and/or duringsubsequent user navigation of the network 100 (i.e., deferredprocessing).

Authentication rule instructions 421, 431, and/or 441, can define howthe authentication rule 400 can be fulfilled. Authentication ruleinstructions 421, 431, and/or 441, can include one or more instructionsto be performed locally and/or remotely, and/or can include a link(e.g., a URL) to a different enforcement point in the network 100.Enforcement points can include, for example, an authentication server140, a device manager 145, and/or an authentication monitor 160. If theauthentication rule 400 does not have an authentication actionspecified, then an enforcement point can use a default action. Forexample, an authentication monitor 160 can, by default, direct a user tothe authentication server 140 in cases where an authentication rulespecifies no actions. In a supplemental or alternative embodiment,enforcement points can execute a default action even if theauthentication rule 400 specifies an action.

Authentication rule states 422, 432, and/or 442, can be used in theselection and acquisition of the associated authentication rule triggers(420, 430, and 440) and rule actions (421, 431, and 441). For example,if the authentication rule 400 is in state ‘S1’, then only rule triggers422 and 423, and associated rule actions 421 and 431 will be selectedfor retrieval. Authentication rule states 422, 432, and 442, can bestored in the rules server 141 and/or one or more device managers 145.Authentication rule states 422, 432, and 442, can also be associatedwith specific users, in which case a rule instance including the statecan also be stored on the rules server 141. Persistent-typeauthentication rules, which are those rules whose state can remainunchanged across sessions, can be represented by the authenticationstates 422, 432, and/or 442, of an authentication rule 400. In someembodiments, the authentication rule 400 can transition from one stateto the another state when, for example, the authentication rule 400 issatisfied and/or an expiration period elapses. In some configurations,authentication states can be associated with either persistent-based orsession-based authentication rules. State-transitioning allows forlifecycle management of the authentication rule 400 in a workflow.

Tables I-III below illustrate examples of different authenticationrules. The elements of the Tables I and II are described using theexemplary authentication rule 400 of FIG. 4.

TABLE I Token Rule Rule Data 410 RuleName: RetailToken User:RetailConsumers Owner: Retail OwnerType: Realm Class: Session State 422Rule Trigger 420 Rule Action 421 S0 <empty> <empty> S1 LoginMethod=U/PWReminder URL S2 LoginMethod=U/PW Token URL S2 Realm=Retail Token URL S3<empty> <empty>Table I illustrates an example of a Token authentication rule sponsoredby the Retail realm. The rule is acquired for all Retail consumers foreach independent session. This rule specifies four states: S0—Token inInventory, S1—Token Sent to User, S2—Token Activated, and S3—TokenDiscarded. The Token action includes two states (S0 and S3) that do notrequire actions at an enforcement point. The state of the rule changesfrom S0 to S1 when a user enrolls for a token. In state S1, theauthentication rule requires an enforcement point to display areminder-to-active message to the user whenever the user logs in usingusername and password. The state changes from S1 to S2 when a useractivates a token. In state S2, the authentication rule requires anenforcement point to query the user for a passcode whenever the userlogs in using username and password (e.g., at authentication server 140)or whenever the user visits a Retail resource (e.g., a server 130associated with Retail). The state changes from S2 to S3 when a userun-subscribes.

TABLE II Fraud Rule Rule Data 410 Rule Name: FraudIPBlock Owner:StockTrader OwnerType: Realm Class: NavRestrict Source: IP ={10.24.189.*, 189.1.1.10–189.1.2.21} Rule Trigger 420 Rule Action 421<empty> CallRepMessageURLTable II illustrates an example of a Fraud authentication rule sponsoredby the StockTrader realm. The rule is acquired for all requests thathave a source IP address in a specified range (where ‘*’ indicates awildcard and can include all hosts from 0-255). This rule does notinclude any rule triggers, so by default all enforcement points willre-direct the user to a CallRep site indicating, for example, that theiraccount is under a Fraud watch and what options they have to correct thematter.

TABLE III User-Customizable Token Rule Rule Data 410 RuleName:CustomRetailToken User: RetailConsumers Owner: Retail OwnerType: RealmClass: Session State 422 Rule Trigger 420 Rule Action 421 S0 <empty><empty> S1 LoginMethod=U/PW Reminder URL S2 LoginMethod=U/PW RSATokenURL S2 Realm=Retail RSAToken URL S3 LoginMethod=U/PW VerToken URL S3Realm=Retail VerToken URL S4 <empty> <empty>Table III illustrates an example of a user-customizable Tokenauthentication rule sponsored by the Retail realm. The rule is identicalto the rule illustrated in Table I, except that in this scenario, Retailhas given the customer an option of what kind of token to use: an RSAToken or a Verisign Token. When the user is in state SI, the reminderaction can ask the user what type of Token they have, after which thestate is changed to either state S2 or S3 depending upon the response.

Returning to the flowchart 200 illustrated in FIG. 2, serviceprovisioning can include receiving, from a user, a request for a service(220), optionally generating a rules credential that includes one ormore authentication rules (230), determining whether one or moreauthentication rules apply (240), processing one or more applicableauthentication rules if they apply (250), determining if moreauthentication rules are applicable (260), and/or provisioning therequested service (260).

Receiving a request for a service (220) can include any request forinformation exchange with one or more servers 130, the authenticationserver 140, one or more device managers 145, and/or one or moreauthentication monitors 160. The request for service can be the initiallogin request to the authentication server 140. The request for servicecan also take place after the initial login process, in which case therequest can include a rules credential, discussed below.

Generating a rules credential that includes one or more authenticationrules (230) can include generating a new rules credential (e.g., atinitial login) and/or updating and re-generating the rules credentialincluded in the request. A rules credential can include one or moreauthentication rules associated with a user based on selection criteriadescribed in the authentication rule data section of an authenticationrule (e.g., unique user identifiers and/or other characteristics). Therules server 141 can retrieve one or more authentication rulesassociated with the user. In a supplemental or alternative embodiment, arules credential can include a compressed form of one or moreauthentication rules. For example, the compressed form can leave out oneor more authentication actions in which case the enforcement point thatevaluates the authentication rule will need to perform a default action.

In a supplemental or alternative embodiment, an authentication ruleand/or a rules credential can also include the satisfaction state of anauthentication rule. For example, for a session-based tokenauthentication rule, a user can be required to enter in a token valueonce for each session. Initially, the generated rules credential willmark the token rule as unsatisfied. However, once the user correctlyenters the appropriate token value, the token authentication rule can bemarked as satisfied. Enforcement points will allow access to theirservices when they see that an authentication rule is satisfied, asdescribed below. An authentication rule and/or a rules credential canalso include a grouping identifier in relation to the satisfaction stateof an authentication rule. For example, if a user is associated withmore than one authentication rule that defines the same action andinclude the same group identifier, then when the user satisfies oneauthentication rule both authentication rules can be marked satisfied.

Table IV illustrates a satisfaction group example, in which threeauthentication rules have been defined including the same action(Token). The first authentication rule (for Retail resources) and thesecond authentication rule (for Institutional resources) are assigned toa common satisfaction group (‘0’). The third authentication rule (forpersonal transactions) is assigned to a separate group (‘1’). If theuser satisfies either of the first or second authentication rules thenthe enforcement point can mark both satisfied in the rules credentialfor the user. The third authentication rule will remain unsatisfieduntil an enforcement point determines that its trigger set applies.

TABLE IV Satisfaction Group Example Action Group TriggerSet InstructionsToken 0 realm=Retail tokenURL Token 0 realm=Instit tokenURL Token 1trans=personal tokenURL

A rules credential can be transferred to the requesting user (e.g., as aweb cookie) such that the authentication rules are portable and cantravel with the user. In such a scenario, a user can navigate fromresource to resource on the network 100 without having to interact witha central authentication server for every request for a service. Forexample, the authentication server 140 can initially process anauthentication rule included in a rules credential that applies duringthe login process. If a rule does not apply at login time, it can remainin the rules credential for later use by one or more authenticationmonitors 160. As the user navigates resources around the network 100,the authentication monitors 160 defending the resources in respectiveservers 130 can evaluate the authentication rules included in the rulescredential and determine if they apply. When an authentication monitor160 determines that an authentication rule applies, the authenticationmonitor 160 can execute the authentication rule.

A rules credential can also specify a processing order that one or moreauthentication rules should be processed. The order that one or moreauthentication rules are processed can be based on a priority codeincluded in an authentication rule's data, the owner or sponsor of theauthentication rule (e.g., provider/realm/client/user), the name of anaction included in the authentication rule, or it can be based on one ormore other elements of an authentication rule. For example, the rulescredential can be generated such that all persistent-based rules areprocessed before all session-based rules. Rule priority can be anarbitrary value assigned by the creator of the authentication rules toorder the authentication rule relative to other authentication rules.

An enforcement point can determine whether one or more authenticationrules apply (240) based on information in one or more authenticationrule triggers in an authentication rule and on information stored in thecontext of the enforcement point, as described above. If anauthentication rule is applicable, the authentication rule is processedbased on one or more authentication instructions specified by theauthentication rule (250). After the authentication rule is processed,the rules credential can be re-acquired (230) to update any state changeassociated with the user. If un-processed authentication rules are leftin the rules credential (260), the enforcement point performs elements(240) and (250). If no applicable authentication rules remain (260),then the requested service can be provisioned to the user (270).

USE CASE EXAMPLES

FIGS. 5-25 illustrate flow diagrams depicting use case examples forauthenticated service provisioning. The elements of the flow diagrams inFIGS. 5-25 are described using the exemplary network 100 of FIG. 1. Inthese examples, each resource is illustrated to reside on a separateserver (e.g., one of servers 130 a-c). However, one or more resourcescan also reside on the same server and the use case examples can equallybe applied as such.

Use Case 1: Initial Rule Acquisition

FIG. 5 illustrates a flow diagram depicting initial authentication ruleacquisition. A consumer using a user device 120 logs in to theauthentication server 140. The initial request can include a useridentification (e.g., username or userid), a password, and/orauthentication context data. Authentication context data can includedata characterizing: the authentication method, the access-channel, theaccess-location, the access-device, and/or the user role (e.g.,customer, admin, etc.). The authentication server 140 forwards the useridentification and authentication context data to the rules server 141to retrieve the authentication rules associated with the consumer and/orthe context. The rules server 141 can access a local or remote rulesrepository database to find the relevant authentication rules. The rulesserver 141 can generate a rules credential that includes theauthentication rules. If more than one authentication rule was acquired,the rules server 141 can order the authentication rules in the rulescredential based on, for example, a priority code, a type, a group code,and/or an action name of the authentication rules. The rules server 141returns the rules credential to the authentication server 140. Eitherthe rules server 141 and/or the authentication server 140 can performfurther processing on the rules credential (e.g., compression or ruleordering). The authentication server 140 returns the rules credential tothe user 120.

Use Case 2: Rule Update Acquisition

FIG. 6 illustrates a flow diagram depicting reacquiring a rulescredential, which can include generating a new rules credential orupdating an existing rules credential. The user 120 provides a rulescredential and/or a rule satisfaction credential to the rules server141. The rule satisfaction credential can be generated by anothercomponent in the network 100 to indicate that one or more authenticationrules in the rules credential have been satisfied or not. The request tothe rules server 141 can also include authentication context data asdescribed above. The rules server 141 can access a local or remote rulesrepository database to find the relevant authentication rules. The rulesserver 141 generates a new rules credential or updates the existingrules credential to include the authentication rules. The satisfactionstate of the authentication rules in the new rules credential are setbased on the rule satisfaction credential received from the user as wellas the current satisfaction state in the previous rules credential. Forexample, a user that successfully entered a token passcode will receivea rule satisfaction credential that the rules server 141 will use tomark the token authentication rule as satisfied. The rules server 141can also update the state of a device (e.g., a hard token as: enrolled,activated, or discarded) in the respective device manager 145. The rulesserver 141 returns the rules credential to the authentication server140.

Use Case 3S: Session-Type Rule Fulfillment

FIG. 7 illustrates a flow diagram depicting the fulfillment of asession-type authentication rule. A user 120 can be redirected by aresource to a rule fulfillment server 130 a to enter, for example, atoken passcode. The request includes a rules credential that, in turn,includes the authentication rule that is to be fulfilled. Theauthentication monitor 160 a evaluates the authentication rules includedin the rules credential and determines that an authentication ruleapplies (i.e., is triggered) and is not satisfied. However, since therule fulfillment server 130 a is the fulfillment point for theauthentication rule, the authentication monitor 160 a includes aspecific override for the authentication rule and allows the user 120 toaccess the rule fulfillment server 130 a. The rule fulfillment server130 a challenges the user 120 as indicated by the authentication rule(e.g., requesting a token passcode to be entered). The user 120 returnsa response to the challenge. The authentication monitor 160 a performsthe same evaluation as described above and allows access to the rulefulfillment server 130 a. The rule fulfillment server 130 a evaluatesthe response and conveys the satisfaction state via a rule satisfactioncredential (e.g., if the token passcode was correct then the rulesatisfaction credential indicates the rule was satisfied). The rulefulfillment server 130 a transmits the rule satisfaction credential tothe user 120, who can then update their rules credential as illustratedin Case 2.

Use Case 3P: Persistent-Type Rule Fulfillment

FIG. 8 illustrates a flow diagram depicting the fulfillment of apersistent-type authentication rule. User Case 3P is identical to UseCase 3S except that after the rule fulfillment server 130 a determinesthat an authentication rule has been satisfied, the rule fulfillmentserver 130 a also sends a message to the rules server 141 indicatingthat the authentication rule has been satisfied. In other embodiments,the rule fulfillment server 130 a can send a message to a device manager145 a indicating that the authentication rule has been satisfied (e.g.,a device manager responsible for hard tokens can store state dataindicating whether a hard token is activated or not).

Use Case 4: Rules Credential Includes One Authentication Rule

FIG. 9 illustrates a flow diagram depicting the provisioning of aservice when the rules credentials includes one authentication rule. Theuser 120 acquires the rules credential as illustrated in Case 1. Theuser 120 requests the service from resource server 130 b. The requestincludes the rules credential. The resource authentication monitor 160 bdetermines that the authentication rule included in the rules credentialapplies and is not satisfied. The resource authentication monitor 160 bcan also determine if any local override action exists. The default ruleaction redirects the user 120 to a fulfillment server URL. The user 120fulfills the authentication rule as illustrated in Cases 3S or 3Pdepending on whether the rule is session-based or persistent-based. Theuser 120 a returns to the authentication monitor 160 b, which determinesthat the authentication rule applies and is satisfied. Theauthentication monitor 160 b admits the request for service to theresource server 130 b to provision the service.

Use Case 5: Sponsor Mandates a Non-Fulfilling Logging Rule for a User

FIG. 10 illustrates a flow diagram depicting a local non-fulfillinglogging authentication rule. A sponsoring enterprise (e.g., a serviceprovider) determines, for example, that a particular user 120 (e.g.,JohnQAdams) may engage in fraudulent activity. The sponsor creates anauthentication rule that requires every enforcement point to logadditional information while processing the request. The authenticationrule remains unsatisfied after fulfillment and requires the enforcementpoint 160 b defending a protected resource 130 b to log additional dataabout the request. Table V below illustrates the rule and enforcementcontexts and the authentication rule associated with Case 5.

TABLE V Use Case 5 RuleAcquisitionContext  UserID: JohnQAdams AuthMethod: RetailCust  AuthBusUnit: Retail  Channel   Type: Web  Source: 198.32.62.1   Agent: IE5.0.2019.7   UserRole: CustomerEnforcementContext  AuthMethod: RetailCust  AuthBusUnit: Retail  Owner:Retail  UserRole: Customer  Time: 9 am  Day: Wednesday  Expiration: None Channel: Web  ServiceType: PersonalData  LocalOverride(s): None RuleActionPresence: None Rule Set (in eval order)  Rule 1: LoggingRules Definition: Logging:  TriggerSets(inclusive)   Channel: N/A  UserRole: N/A   BusUnit: N/A   Time: N/A   Day: N/A   Interval: N/A  AuthMethod: N/A   ServiceType: N/A RuleActionName: FraudLog RuleType:Info GroupCode: 0 PriorityCode: 0 Satisfaction: NotSatisDefaultFulAction: FraudLog OptionalOverride: None

Use Case 6: Sponsor Mandates a Non-Fulfilling Redirection Rule for aUser

FIG. 1 illustrates a flow diagram depicting a non-fulfilling redirectionauthentication rule. A sponsoring enterprise (e.g., a service provider)determines, for example, that a particular user 120 (e.g., JohnQAdams)may engage in fraudulent activity. The sponsor creates an authenticationrule that is enforced at all enforcement points (e.g., 160 b) to defenda protected service by redirecting the user 120 to a different location160 c. The authentication rule remains unsatisfied after fulfillment.The policy of the enforcement point defending the second enforcementpoint 160 c (EP2) overrides the default action and permits the requestto enter. Table VI below illustrates the rule and enforcement contextsand the authentication rule associated with Case 6.

TABLE VI Use Case 6 RuleAcquisitionContext  UserID: JohnQAdams AuthMethod: RetailCust  AuthBusUnit: Retail  Channel   Type: Web  Source: 127.0.0.1   Agent: IE6.0.2019.7   UserRole: CustomerEnforcementContext: EP1  AuthMethod: RetailCust  AuthBusUnit: Retail Owner: Wholesale  UserRole: Customer  Time: 9 am  Day: Wednesday Expiration: None  Channel: Web  ServiceType: PersonalData LocalOverride(s): None  RuleActionPresence: None EnforcementContext:EP2  AuthMethod: RetailCust  AuthBusUnit: Retail  Owner: Wholesale UserRole: Customer  Time: 9:01 am  Day: Wednesday  Expiration: None Channel: Web  ServiceType: PersonalData  LocalOverride:    RestrictSite:     admit if unsat RuleAction: RestrictSite Rule Set(in eval order)  Rule 1: Redirection Rules Definition: Redirection: TriggerSets(inclusive)   Channel: N/A   UserRole: N/A   BusUnit: N/A  Time: N/A   Day: N/A   Interval: N/A   AuthMethod: N/A   ServiceType:N/A RuleActionName: Restrict RuleType: NavRestrict GroupCode: 0PriorityCode: 0 Satisfaction: NotSatis DefaultFulAction: RedirectFulfillmentLoc: AltURL OptionalOverride: None

Use Case 7: Sponsor Mandates a Global Hard Token Rule

FIG. 12 illustrates a flow diagram depicting service provisioning usinga global hard token rule. A sponsor creates a mandatory hard tokenauthentication rule for all users of the sponsor, including user 120.The authentication rule applies when any user accesses any service(e.g., retail account summary at server 130 a). The user 120 mustsatisfy the authentication rule once in a session. If the authenticationrule is not satisfied, the authentication rule requires the user 120 toprovide a hard token generated one-time PIN when the user visits theprotected resource 130 a. If the user 120 correctly inputs theappropriate passcode at token server 130 b, then the user's rulescredential can be updated, as illustrated in Case 2, to mark the hardtoken rule satisfied. The user 120 can then access the requested serviceat server 130 a. Table VII below illustrates the rule and enforcementcontexts and the authentication rule associated with Case 7.

TABLE VII Use Case 7 RuleAcquisitionContext  UserID: JohnQAdams AuthMethod: RetailCust  AuthBusUnit: Retail  Channel   Type: Web  Source: 127.0.0.1   Agent: IE6.0.2019.7   UserRole: CustomerEnforcementContext  AuthMethod: RetailCust  AuthBusUnit: Retail  Owner:Wholesale  UserRole: Customer  Time: 9 am  Day: Wednesday  Expiration:None  Channel: Web  ServiceType: PersonalData  LocalOverride(s): None RuleActionPresence: None Rule Set (in eval order)  Rule 1: HardTokenRules Definition: HardToken:  TriggerSets(inclusive)   Channel: N/A  UserRole: N/A   BusUnit: N/A   Time: N/A   Day: N/A   Interval: N/A  AuthMethod: N/A   ServiceType: N/A RuleActionName: HTokenAct RuleType:Session GroupCode: 0 PriorityCode: 1 Satisfaction: NotSatisDefaultFulAction: Redirect FulfillmentLoc: HTokenURL OptionalOverride:None

Use Case 8: Sponsor Offers Users Option to Use a Global Hard Token Rule

FIG. 13 illustrates a flow diagram depicting service provisioning usingan optional global hard token rule. A sponsor creates an optional hardtoken authentication rule for all users that enroll with the sponsor,including user 120, who has activated their hard token. Theauthentication rule applies when any user accesses any service (e.g.,Employee Services Company (ESCo) Enrollment Server 130 a). The user 120must satisfy the authentication rule once in a session. If theauthentication rule is not satisfied, the authentication rule requiresthe user 120 to fulfill the authentication rule at hard token server 130b. The hard token authentication monitor 160 b determines that the ruleapplies and is not satisfied. However, the hard token authenticationmonitor 160 b includes an override in this case and provides access tothe hard token server 130 b, which challenges the user 120 to provide ahard token generated one-time PIN. If the user 120 correctly inputs theappropriate passcode at token server 130 b, then the user's rulescredential can be updated, as illustrated in Case 2, to mark the hardtoken rule satisfied. The user 120 can then access the requestedenrollment service at Employee Services Company server 130 a. Table VIIIbelow illustrates the rule and enforcement contexts and theauthentication rule associated with Case 8.

TABLE VIII Use Case 8 RuleAcquisitionContext  UserID: JohnQAdams AuthMethod: NBCust  AuthBusUnit: ESCo  Channel   Type: Web   Source:127.0.0.1   Agent: IE6.0.2019.7   UserRole: Customer EnforcementContext AuthMethod: NBCust  AuthBusUnit: ESCo  Owner: ESCo  UserRole: Customer Time: 9 am  Day: Wednesday  Expiration: None  Channel: Web ServiceType: PersonalData  LocalOverride(s): None  RuleActionPresence:None Rule Set (in eval order)  Rule 1: HardToken Rules Definition:HardToken:  TriggerSets(inclusive)   Channel: N/A   UserRole: N/A  BusUnit: N/A   Time: N/A   Day: N/A   Interval: N/A   AuthMethod: N/A  ServiceType: N/A RuleActionName: HTokenAct RuleType: SessionGroupCode: 0 PriorityCode: 1 Satisfaction: NotSatis DefaultFulAction:Redirect FulfillmentLoc: HTokenURL OptionalOverride: None

Use Case 9: Sponsor Mandates a User-Configurable Global Hard Token Rule

FIG. 14 illustrates a flow diagram depicting service provisioning usingan user-configurable global hard token rule. A sponsor can create one ormore hard token authentication rules to be used with different hardtoken vendors (e.g., RSA, Verisign, etc.). The sponsor can allow usersenrolled for hard tokens to select what type of hard token to use. User120 has selected hard token A and has activated their hard token suchthat the payload instruction in the authentication rule directs the userto hard token A server 130 b. In this case, the authentication rule ismandated by the sponsor, however the sponsor can also make the ruleoptional to the user 120. Table IX below illustrates the rule andenforcement contexts and the authentication rule associated with Case 9.

TABLE IX Use Case 9 RuleAcquisitionContext  UserID: JohnQAdams AuthMethod: RetailCust  AuthBusUnit: Retail  Channel   Type: Web  Source: 127.0.0.1   Agent: IE6.0.2019.7   UserRole: CustomerEnforcementContext  AuthMethod: RetailCust  AuthBusUnit: Retail  Owner:Retail  UserRole: Customer  Time: 9 am  Day: Wednesday  Expiration: None Channel: Web  ServiceType: PersonalData  LocalOverride(s): None RuleActionPresence: None Rule Set (in eval order)  Rule 1: HardTokenARules Definition: HardTokenA:  TriggerSets(inclusive)   Channel: N/A  UserRole: N/A   BusUnit: N/A   Time: N/A   Day: N/A   Interval: N/A  AuthMethod: N/A   ServiceType: N/A RuleActionName: HTokenAActRuleType: Session GroupCode: 0 PriorityCode: 1 Satisfaction: NotSatisDefaultFulAction: Redirect FulfillmentLoc: HTokA URL OptionalOverride:None

Use Case 10a: Sponsor Group Mandates a Hard Token Rule

FIG. 15 illustrates a flow diagram depicting service provisioning usinga group mandated hard token rule. A group of a sponsor (e.g., a clientcompany of an employee services company) creates a mandatory hard tokenrule for all employees, including user 120 a, of the client company. Theauthentication rule applies whenever the users enter via the group'sunit authentication method or when the users visit a protected resourceof the group. The user 120 a must satisfy the authentication rule onlyonce in an authentication session. The group of the sponsor, or thesponsor, provides a list of the employees and the sponsor can createthis authentication rule for each of the employees. Table X belowillustrates the rule and enforcement contexts and the authenticationrule associated with Case 10.

TABLE X Use Case 10 RuleAcquisitionContext  UserID: JohnQAdams AuthMethod: NBPart  AuthBusUnit: ESCo  Channel   Type: Web   Source:127.0.0.1   Agent: IE6.0.2019.7   UserRole: Customer EnforcementContext AuthMethod: NBPart  AuthBusUnit: ESCo  Owner: ESCo  UserRole: Customer Time: 9 am  Day: Wednesday  Expiration: None  Channel: Web ServiceType: PersonalData  LocalOverride(s): None  RuleActionPresence:None Rule Set (in eval order)  Rule 1: HardToken Rules Definition:HardToken:  TriggerSets(inclusive)   Channel: N/A   UserRole: N/A  BusUnit: ESCo   Time: N/A   Day: N/A   Interval: N/A   AuthMethod: N/A  ServiceType: N/A RuleActionName: HTokenAct RuleType: SessionGroupCode: 0 PriorityCode: 1 Satisfaction: NotSatis DefaultFulAction:Redirect FulfillmentLoc: HTokenURL OptionalOverride: None

Use Case 10b: Sponsor Group Mandates a Hard Token Rule

FIG. 16 illustrates a flow diagram depicting service provisioning usingthe group mandated hard token rule of Use Case 10a. However, the user120 b is not an employee of the Employee Services Company (ESCo). Inthis case, the rules credential does not include the authentication rulefrom Use Case 10a. Therefore, the ESCo Account authentication monitor160 a allows the user 120 to access the ESCo Account server 130 a.

Use Case 11: Sponsor Group Offers an Optional Hard Token Rule

FIG. 17 illustrates a flow diagram depicting service provisioning usinga group-sponsored optional hard token rule. A group of a sponsor (e.g.,a client company of an employee services company) creates an optionalhard token rule for all employees, including users 120 a and 120 b, ofthe client company. User 120 a is enrolled in the hard token, andservice provisioning follows the flow diagram illustrated in Case 8.User 120 b, while an employee in a group that is a plan sponsor inEmployee Services Company (ESCo), is not enrolled in the hard token.Therefore, the rules credential for user 120 b does not include the hardtoken authentication rule and the ESCo Account authentication monitor160 a allows the user 120 b to access the ESCo server 130 a. Likewise,for a user 120 c that is not a member of a group sponsor in ESCo, theirrules credential will not include a hard token authentication rule.Table XI below illustrates the rule and enforcement contexts and theauthentication rule associated with Case 11.

TABLE XI Use Case 11 RuleAcquisitionContext  UserID: JohnQAdams AuthMethod: NBPart  AuthBusUnit: ESCo  Channel   Type: Web   Source:127.0.0.1   Agent: IE6.0.2019.7   UserRole: Customer EnforcementContext AuthMethod: NBPart  AuthBusUnit: ESCo  Owner: ESCo  UserRole: Customer Time: 9 am  Day: Wednesday  Expiration: None  Channel: Web ServiceType: PersonalData  LocalOverride(s): None  RuleActionPresence:None Rule Set (in eval order)  Rule 1: HardToken Rules Definition:HardToken:  TriggerSets(inclusive)   Channel: N/A   UserRole: N/A  BusUnit: ESCo   Time: N/A   Day: N/A   Interval: N/A   AuthMethod: N/A  ServiceType: N/A RuleActionName: HTokenAct RuleType: SessionGroupCode: 0 PriorityCode: 1 Satisfaction: NotSatis DefaultFulAction:Redirect FulfillmentLoc: HTokenURL OptionalOverride: None

Use Case 12: User has Multiple Rule Types

FIGS. 18A-B illustrate a flow diagram depicting service provisioningwhen a user has three authentication rules: logging, hard token, andforced ACI. The rules are ordered in the rules credential such that thelogging rule is evaluated first at each enforcement point, followed byevaluation of the hard token rule, and then evaluation of the forced ACIrule. The user 120 requests an account summary service from ESCo Accountserver 130 a. The ESCo authentication monitor 160 a determines that thelogging rule applies and logs information about the session. Next, theESCo authentication monitor 160 a determines that a hard token ruleapplies and is not satisfied. The user 120 is redirected to fulfill thehard token authentication rule. The hard token authentication monitor160 b also determines that the logging rule applies and logs informationon the session. Next, the hard token authentication monitor 160 bdetermines that the hard token authentication rule applies and is notsatisfied. However, since the hard token authentication monitor 160 bprotects the server 130 b that is associated with fulfillment of thehard token authentication rule, an override exists that allows the user120 to access the hard token server 130 b.

As illustrated in FIG. 18B, the user 120 returns to the ESCoauthentication monitor 160 a, which still determines that the loggingrule applies and logs information about the session. The ESCoauthentication monitor 160 a now, however, determines that the hardtoken rule is satisfied and evaluates the next authentication rule inthe rules credential. The forced ACI authentication rule is a persistentrule that forces the user 120 to change their ID if their current ID isset to be their social security number (SSN). The user 120 is redirectedto change their ID (i.e., fulfill the forced ACI authentication rule).The SSN ID authentication monitor 160 c determines that the logging ruleapplies and logs information on the session, and that the hard tokenrule applies but is satisfied. Next, the SSN ID authentication monitor160 c determines that the forced ACI authentication rule applies, is notsatisfied, but that an override exists for the rule to allow access tothe the SSN ID server 130 c. The user 120 is challenged to change theirID and the forced ACI rule is satisfied if the ID is not the user 120'sSSN. The user 120 is subsequently allowed to access their accountsummary at server 130 a. Table XII below illustrates the rule andenforcement contexts and the authentication rule associated with Case12.

TABLE XII Use Case 12 RuleAcquisitionContext  UserID: GeneralUser AuthMethod: NBPlanAdmin  AuthBusUnit: ESCo  Channel   Type: Any  Source: 127.0.0.1   Agent: IE6.0.2019.7   UserRole: AdminEnforcementContext  AuthMethod: NBPlanAdmin  AuthBusUnit: ESCo  Owner:ESCo  UserRole: Admin  Time: 11 am  Day: Thursday  Expiration: None Channel: Any  ServiceType: Any  LocalOverride(s): None RuleActionPresence: None Rule Set (in eval order)  Rule 1: Logging Rule 2: HardToken  Rule 3: ForcedACI Rules Definition: Logging: (seeTable XIX) HardToken: (see Table XI) ForcedACI: (see Table XV)

Use Case 13: User has Multiple Rule Types Triggering in DifferentBusiness Units

FIGS. 19A-B illustrates a flow diagram depicting service provisioningwhen a user has multiple rule types triggering in different businessunits. For various reasons, a user that is both a normal customer andalso an employee of a client organization can have acquired a set ofrules that comprise: a non-fulfilling logging rule (due to suspiciousbrowser characteristics that triggers in Retail and ESCo), a hard tokenrule (due to customer opt-in that triggers only in Retail), and anon-SSN ID (forced ACI) rule (due to client organization mandate thattriggers only in ESCo). FIGS. 19A-B illustrate how the rules aretriggered and enforced for Use Case 13 as the user 120 navigates thenetwork 100. Table XIII below illustrates the rule and enforcementcontexts and the authentication rule associated with Case 13.

TABLE XIII Use Case 13 RuleAcquisitionContext  UserID: GeneralUser AuthMethod: RetailCust  AuthBusUnit: Retail  Channel   Type: Any  Source: 127.0.0.1   Agent: IE6.0.2019.7   UserRole: CustomerEnforcementContext: EP1  AuthMethod: RetailCust  AuthBusUnit: Retail Owner: Retail  UserRole: Customer  Time: 11 am  Day: Thursday Expiration: None  Channel: Any  ServiceType: Any  LocalOverride(s):None  RuleActionPresence: None Rule Set (in eval order)  Rule 1: Logging Rule 2: HardToken  Rule 3: ForcedACI Rules Definition: Logging: (seeTable XIX) HardToken: (see Table XI) ForcedACI: (see Table XV)EnforcementContext: EP2  AuthMethod: RetailCust  AuthBusUnit: Retail Owner: ESCo  UserRole: Customer  Time: 11:05 am  Day: Thursday Expiration: None  Channel: Any  ServiceType: Any  LocalOverride(s):None  RuleActionPresence: None

Use Case 14: Hard Token User is Challenged, Navigates Away toNon-Protected Site

FIG. 20 illustrates a flow diagram depicting service provisioning when auser is challenged for a hard token and navigates away to anon-protected site. A client organization of an enterprise business unit(e.g. a client of ESCo Services) requires their employees to use a hardtoken to enter the Enterprise Business Unit. When such a user attemptsto visit any protected resource of the Business Unit, and the rule isnot satisfied, the rule challenges the user to provide a hard tokengenerated one-time PIN. In this example, the user 120 declines to entera token value and navigates away to another Enterprise Business Unit atwhich they have a relationship and at which the hard token rule does notapply. They are allowed entry to the other Enterprise Business Unit.FIG. 20 illustrates how the rules are triggered and enforced for UseCase 14 as the user 120 navigates the network 100. Table XIV belowillustrates the rule and enforcement contexts and the authenticationrule associated with Case 14.

TABLE XIV Use Case 14 RuleAcquisitionContext  UserID: JohnQAdams AuthMethod: RetailCust  AuthBusUnit: Retail  Channel   Type: Web  Source: 127.0.0.1   Agent: IE6.0.2019.7   UserRole: CustomerEnforcementContext: EP1  AuthMethod: RetailCust  AuthBusUnit: Retail Owner: ESCo  UserRole: Customer  Time: 9 am  Day: Wednesday Expiration: None  Channel: Web  ServiceType: PersonalData LocalOverride(s): None  RuleActionPresence: None EnforcementContext:EP3  AuthMethod: RetailCust  AuthBusUnit: Retail  Owner: ESCo  UserRole:Customer  Time: 9m  Day: Wednesday  Expiration: None  Channel: Web ServiceType: Challenge  LocalOverride(s): Allow  RuleActionPresence:None Rule Set (in eval order)  Rule 1: HardToken Rules Definition:HardToken: (see Table XI) EnforcementContext: EP2  AuthMethod:RetailCust  AuthBusUnit: Retail  Owner: Retail  UserRole: Customer Time: 9:10 am  Day: Wednesday  Expiration: None  Channel: Web ServiceType: Financial  LocalOverride(s): None  RuleActionPresence:None

Use Case 15: Enterprise Creates Non-Fulfilling Logging Rule for SuspectPhone Number

FIG. 21 illustrates a flow diagram depicting service provisioning when alogging rule applies to a suspect phone number. An enterprise determinesthat users entering their system using the phone number 999 555 1212 maybe fraudulent. Rule acquisition processing creates and imposes anon-fulfilling rule on any user using this phone number. The rulerequires every enforcement point to log additional information aboutusers that have this rule. FIG. 21 illustrates how the rules aretriggered and enforced for Use Case 15 as the user 120 navigates thenetwork 100. Table XV below illustrates the rule and enforcementcontexts and the authentication rule associated with Case 15.

TABLE XV Use Case 15 RuleAcquisitionContext  UserID: JohnQAdams AuthMethod: PhoneCust  AuthBusUnit: Retail  Channel   Type: Phone  Source: 999 555 1212   Agent: PhoneCo   UserRole: CustomerEnforcementContext  AuthMethod: PhoneCust  AuthBusUnit: Retail  Owner:Retail  UserRole: Customer  Time: 9 am  Day: Wednesday  Expiration: None Channel: Phone  ServiceType: Financial  LocalOverride(s): None RuleActionPresence: None Rule Set (in eval order)  Rule 1: LoggingRules Definition: Logging:  TriggerSets(inclusive)   Channel: Phone  UserRole: N/A   BusUnit: N/A   Time: N/A   Day: N/A   Interval: N/A  AuthMethod: N/A   ServiceType: N/A RuleActionName: FraudLog RuleType:Informational GroupCode: 0 PriorityCode: 1 Satisfaction: NotSatisDefaultFulAction: FraudAct FulfillmentLoc: Local OptionalOverride: None

Use Case 16: Entity Mandates that Their Users Create a Non-SSN ID

FIG. 22 illustrates a flow diagram depicting service provisioning usinga forced ACI authentication rule. An entity (e.g., a client organizationof an enterprise business unit) requires that its employees not usetheir social security number as their user ID for login. This forced ACIauthentication rule applies to all users of the entity. When such a userattempts to login and the rule is not satisfied (i.e., the user's ID istheir SSN), then the authentication rule requires the user to changetheir user ID to another non-SSN ID. Once the user changes their ID, therule is always marked as fulfilled. Note, that if the user logs in via adifferent authentication method (offered by a different business unit),the rule will not be triggered and the user will not see the rulebehavior. FIG. 22 illustrates how the rules are triggered and enforcedfor Use Case 16 as the user 120 navigates the network 100. Table XVIbelow illustrates the rule and enforcement contexts and theauthentication rule associated with Case 16.

TABLE XVI Use Case 16 RuleAcquisitionContext  UserID: 000-00-0000 AuthMethod: NBPart  AuthBusUnit: ESCo  Channel   Type: Any   Source:127.0.0.1   Agent: IE6.0.2019.7   UserRole: Customer EnforcementContext AuthMethod: NBPart  AuthBusUnit: ESCo  Owner: ESCo  UserRole: Customer Time: 9 am  Day: Wednesday  Expiration: None  Channel: Any ServiceType: PersonalData  LocalOverride(s): None  RuleActionPresence:None Rule Set (in eval order)  Rule 1: ForcedACI Rules Definition:ForcedACI:  TriggerSets (inclusive)   Channel: N/A   UserRole: N/A  BusUnit: ESCo   Time: N/A   Day: N/A   Interval: N/A   AuthMethod:NBPart   ServiceType: N/A RuleActionName: ForcedACI RuleType: PersistentGroupCode: 0 PriorityCode: 2 Satisfaction: NotSatis DefaultFulAction:Redirect FulfillmentLoc: IDChangeURL OptionalOverride: None

Use Case 17: User has Multiple Hard Token Rules Grouped

An entity (e.g., Retail) can require its users to use Hard Token A toaccess their resources. Another entity (e.g., ESCo) can require itsusers to use Hard Token B to access their resources. The satisfaction ofeither rule satisfies both rules (i.e., the rules are grouped). A userwho is a Retail user and an ESCo user will acquire both rules. If theuser first enters the Retail Business Unit, they will be challenged toenter the value from Hard Token A. If they then enter the ESCo BusinessUnit, they will not be challenged to enter a Hard Token B value.Conversely, if the user first enters ESCo, they will be challenged toenter a Hard Token B value. If they subsequently enter the RetailBusiness Unit, they will not be challenged to enter a Hard Token Avalue. Table XVII below illustrates the rule and enforcement contextsand the authentication rule associated with Case 17.

TABLE XVII Use Case 17 RuleAcquisitionContext  UserID: GeneralUser AuthMethod: RetailCust  AuthBusUnit: Retail  Channel   Type: Any  Source: 127.0.0.1   Agent: IE6.0.2019.7   UserRole: CustomerEnforcementContext  AuthMethod: RetailCust  AuthBusUnit: Retail  Owner:Retail  UserRole: Customer  Time: 9 am  Day: Wednesday  Expiration: None Channel: Web  ServiceType: PersonalData  LocalOverride(s): None RuleActionPresence: None Rule Set (in eval order)  Rule 1: HardToken A Rule 2: HardToken B Rules Definition: HardTokenA: TriggerSets(inclusive)   BusUnit: Retail RuleActionName: HTokenActRuleType: Session GroupCode: 1 PriorityCode: 1 Satisfaction: NotSatisDefaultFulAction: Redirect FulfillmentLoc: HTokenAURL OptionalOverride:None HardTokenB:  TriggerSets (inclusive)   BusUnit: ESCoRuleActionName: HTokenAct RuleType: Session GroupCode: 1 PriorityCode: 1Satisfaction: NotSatis DefaultFulAction: Redirect FulfillmentLoc:HTokenBURL OptionalOverride: None

Use Case 18: Entity Mandates a Non-Fulfilling Redirection Rule for aUser

FIG. 23 illustrates a flow diagram depicting service provisioning usinga redirect authentication rule. An entity can impose a non-fulfillingredirection rule on all users entering via the web from a specified IPaddress. When a user enters from the specified IP address, the ruleacquisition process recognizes the address and associates theredirection rule with the user. The authentication rule, which remainsunsatisfied after fulfillment, requires the enforcement point defendinga protected resource to redirect the user to a different location. Thepolicy of the enforcement point defending the second location overridesthe default action and permits the request to enter. This use case canbe used for redirecting a suspect user from a main site resource to amore heavily instrumented monitoring site. FIG. 23 illustrates how therules are triggered and enforced for Use Case 18 as the user 120navigates the network 100. Table XVIII below illustrates the rule andenforcement contexts and the authentication rule associated with Case18.

TABLE XVIII Use Case 18 RuleAcquisitionContext  UserID: JohnQAdams AuthMethod: RetailCust  AuthBusUnit: Retail  Channel   Type: Web  Source: 127.0.0.1   Agent: IE6.0.2019.7   UserRole: CustomerEnforcementContext: EP1  AuthMethod: RetailCust  AuthBusUnit: Retail Owner: Wholesale  UserRole: Customer  Time: 9 am  Day: Wednesday Expiration: None  Channel: Web  ServiceType: PersonalData LocalOverride(s): None  RuleActionPresence: None Rule Set (in evalorder)  Rule 1: Redirection Rules Definition: Redirection: TriggerSets(inclusive)   Channel: Web RuleActionName: RstrctAltSitRuleType: NavRestrict GroupCode: 0 PriorityCode: 0 Satisfaction:NotSatis DefaultFulAction: Redirect FulfillmentLoc: AltSiteURLOptionalOverride: None EnforcementContext: EP2  AuthMethod: RetailCust AuthBusUnit: Retail  Owner: Wholesale  UserRole: Customer  Time: 9:01am  Day: Wednesday  Expiration: None  Channel: Web  ServiceType:Financial  LocalOverride(s):  RstrctAltSit-Admit/unsat. RuleActionPresence:      RstrctAltSit

Use Case 19: Entity Mandates a Non-Fulfilling Logging Rule for a User

FIG. 24 illustrates a flow diagram depicting service provisioning usinga logging authentication rule. An entity can impose a mandatorynon-fulfilling authentication rule that requires enforcement points tolog additional information when a user visits while using a browser of aparticular type. When a user uses such a browser, the rule acquisitionprocess detects this situation and associates the logging authenticationrule with the user. The default rule action is to locally log additionaluser information. FIG. 24 illustrates how the rules are triggered andenforced for Use Case 19 as the user 120 navigates the network 100.Table XVIII below illustrates the rule and enforcement contexts and theauthentication rule associated with Case 19.

TABLE XIX Use Case 19 RuleAcquisitionContext  UserID: JohnQAdams AuthMethod: RetailCust  AuthBusUnit: Retail  Channel   Type: Web  Source: 127.0.0.1   Agent: IE6.0.2019.7   UserRole: CustomerEnforcementContext  AuthMethod: RetailCust  AuthBusUnit: Retail  Owner:Wholesale  UserRole: Customer  Day: Wednesday  Channel: Web ServiceType: PersonalData  LocalOverride(s): None  RuleActionPresence:None Rule Set (in eval order)  Rule 1: Logging Rules Definition:Logging:  TriggerSets(inclusive)   Channel: Web   UserRole: N/A  BusUnit: Retail, ESCo   Time/Day: N/A RuleActionName: FraudLogRuleType: Informational GroupCode: 0 PriorityCode: 0 Satisfaction:NotSatis DefaultFulAction: Log FulfillmentLoc: Local OptionalOverride:None

Use Case 20: Entity Restricts Admin Access to Specific Source IPAddresses.

An entity (e.g., BigCo at ESCo Services) can impose a non-fulfillingredirection authentication rule on all administrative users entering theEnterprise Business Unit via the web. The authentication rule can beapplied to any client or organization administration user that isentering from an IP address other than one of those specified as validby the entity. When such a user enters from an IP address not providedby the entity, the rule acquisition process recognizes this conditionand associates the redirection rule with the user. The authenticationrule requires the enforcement point defending a protected Business Unitresource to redirect the user to a second location. For example, thesecond location can inform the user that access is prohibited. Table XXbelow illustrates the rule and enforcement contexts and theauthentication rule associated with Case 20.

TABLE XX Use Case 20 RuleAcquisitionContext  UserID: JohnQAdams AuthMethod: NBPsw  AuthBusUnit: ESCo  Channel   Type: Web   Source:127.0.0.1   Agent: IE6.0.2019.7   UserRole: Admin EnforcementContext EP1 AuthMethod: NBPsw  AuthBusUnit: ESCo  Owner: ESCo  UserRole: Admin Channel: Web  ServiceType: PersonalData  LocalOverride(s): None RuleActionPresence: None EnforcementContext EP1  AuthMethod: NBPsw AuthBusUnit: ESCo  Owner: ESCo  UserRole: Admin  Channel: Web ServiceType: PersonalData  LocalOverride(s):    non-approved  IPAddress: allow  RuleActionPresence: None Rule Set (in eval order)  Rule1: Redirection Rules Definition: Redirection:  TriggerSets(inclusive)  Channel: Web   UserRole: Admin   BusUnit: ESCo   Time/Day: N/ARuleActionName:     RestrictToAltSite RuleType: NavRestrict GroupCode: 0PriorityCode: 0 Satisfaction: NotSatis DefaultFulAction: RedirectFulfillmentLoc: AltSiteURL OptionalOverride: None

Use Case 21: High Net Worth Customer Forbids Web Access to Writable Data

FIG. 25 illustrates a flow diagram depicting service provisioning usinga high net worth customer defined authentication rule. A high net user(e.g., user “X”) can create a non-update authentication rule thatforbids access to resources that allow the user to change data via anyweb channel. This authentication rule can redirect the user to anaccess-blocked message and remain unfulfilled. FIG. 25 illustrates howthe rules are triggered and enforced for Use Case 21 as the user 120navigates the network 100. Table XXI below illustrates the rule andenforcement contexts and the authentication rule associated with Case21.

TABLE XXI Use Case 21 RuleAcquisitionContext  UserID: X  AuthMethod:NBPart  AuthBusUnit: ESCo  Channel   Type: Web   Source: 127.0.0.1  Agent: IE6.0.2019.7   UserRole: Admin EnforcementContext Common AuthMethod: RetailCust  AuthBusUnit: Retail  Owner: Retail  UserRole:Customer  Day: Wednesday  ExpirationTime: None  Channel: Web LocalOverride(s): None  RuleActionPresence: None at EP1  Time: 9 am ResourceType: Readable at EP2  Time: 9:01 am  ResourceType: Writable atEP3  Time: 9:02 am  ResourceType: Readable Rule Set (in eval order) Rule 1: NonUpdate Rules Definition: NonUpdate:  TriggerSets(inclusive)  Channel: Web   UserRole: N/A   BusUnit: N/A   Time: N/A   Day: N/A  ResourceType: Writable RuleActionName: Redirect RuleType: NavRestrictGroupCode: 0 PriorityCode: 4 Satisfaction: NotSatis DefaultFulAction:Redirect FulfillmentLoc: BlockURL OptionalOverride: None

Use Case 22: Entity Mandates a Hard Token Time Rule

An entity can impose a hard token time rule on all users that requiresthe user to enter a hard token value if the user attempts to make atrade while the stock market is open. The authentication rule requiresthe enforcement point defending a protected resource to redirect theuser to a hard token fulfillment location if the current time is whilethe stock market is open and the rule is not satisfied. The policy ofthe enforcement point defending the fulfillment location overrides thedefault action and permits the request to enter. During after markethours, for example, the user is not required to enter a hard token sincethe trade will be executed at the next market open period. Table XXIIbelow illustrates the rule and enforcement contexts and theauthentication rule associated with Case 22.

TABLE XXII Use Case 22 RuleAcquisitionContext  UserID: JohnQAdams AuthMethod: RetailCust  AuthBusUnit: Retail  Channel   Type: Web  Source: 127.0.0.1   Agent: IE6.0.2019.7   UserRole: AdminEnforcementContext Common  AuthMethod: RetailCust  AuthBusUnit: Retail Owner: Retail  UserRole: Customer  Day: Wednesday  ExpirationTime: None Channel: Web  ResourceType: EquityTrade  LocalOverride(s): None RuleActionPresence: None Rule Set (in eval order)  Rule 1: HTokenTimeRules Definition: HTokenTime:  TriggerSets(inclusive)   Channel: Web  UserRole: Customer   BusUnit: N/A   Time: 9–4:30   Day: M, Tu, W, Th,F   Interval: N/A   ResourceType:     EquityTrade RuleActionName:HTokenTime RuleType: Session GroupCode: 0 PriorityCode: 1 Satisfaction:NotSatis DefaultFulAction: Redirect FulfillmentLoc: HTokenURLOptionalOverride: None

The above-described techniques can be implemented in digital electroniccircuitry, or in computer hardware, firmware, software, or incombinations of them. The implementation can be as a computer programproduct, i.e., a computer program tangibly embodied in an informationcarrier, e.g., in a machine-readable storage device or in a propagatedsignal, for execution by, or to control the operation of, dataprocessing apparatus, e.g., a programmable processor, a computer, ormultiple computers. A computer program can be written in any form ofprogramming language, including compiled or interpreted languages, andthe computer program can be deployed in any form, including as astand-alone program or as a subroutine, element, or other unit suitablefor use in a computing environment. A computer program can be deployedto be executed on one computer or on multiple computers at one site.

Method steps can be performed by one or more programmable processorsexecuting a computer program to perform functions of the invention byoperating on input data and generating output. Method steps can also beperformed by, and an apparatus can be implemented as, special purposelogic circuitry, e.g., an FPGA (field programmable gate array) or anASIC (application-specific integrated circuit). Subroutines can refer toportions of the computer program and/or the processor/special circuitrythat implements that functionality.

Processors suitable for the execution of a computer program include, byway of example, both general and special purpose microprocessors, andany one or more processors of any kind of digital computer. Generally, aprocessor receives instructions and data from a read-only memory or arandom access memory or both. The essential elements of a computer are aprocessor for executing instructions and one or more memory devices forstoring instructions and data. Generally, a computer also includes, orbe operatively coupled to receive data from or transfer data to, orboth, one or more mass storage devices for storing data, e.g., magnetic,magneto-optical disks, or optical disks. Data transmission andinstructions can also occur over a communications network. Informationcarriers suitable for embodying computer program instructions and datainclude all forms of non-volatile memory, including by way of examplesemiconductor memory devices, e.g., EPROM, EEPROM, and flash memorydevices; magnetic disks, e.g., internal hard disks or removable disks;magneto-optical disks; and CD, DVD, and HD-DVD disks. The processor andthe memory can be supplemented by, or incorporated in special purposelogic circuitry.

To provide for interaction with a user, the above described techniquescan be implemented on a computer having a display device, e.g., a CRT(cathode ray tube) or LCD (liquid crystal display) monitor, fordisplaying information to the user and a keyboard and a pointing device,e.g., a mouse or a trackball, by which the user can provide input to thecomputer (e.g., interact with a user interface element). Other kinds ofdevices can be used to provide for interaction with a user as well; forexample, feedback provided to the user can be any form of sensoryfeedback, e.g., visual feedback, auditory feedback, or tactile feedback;and input from the user can be received in any form, including acoustic,speech, or tactile input.

The above described techniques can be implemented in a distributedcomputing system that includes a back-end component, e.g., as a dataserver, and/or a middleware component, e.g., an application server,and/or a front-end component, e.g., a client computer having a graphicaluser interface and/or a Web browser through which a user can interactwith an example implementation, or any combination of such back-end,middleware, or front-end components.

The computing system can include clients and servers. A client and aserver are generally remote from each other and typically interactthrough a communication network. The relationship of client and serverarises by virtue of computer programs running on the respectivecomputers and having a client-server relationship to each other.

One skilled in the art will realize the invention may be embodied inother specific forms without departing from the spirit or essentialcharacteristics thereof. The foregoing embodiments are therefore to beconsidered in all respects illustrative rather than limiting of theinvention described herein. Scope of the invention is thus indicated bythe appended claims, rather than by the foregoing description, and allchanges that come within the meaning and range of equivalency of theclaims are therefore intended to be embraced therein.

1. A computerized method for providing authentication for serviceprovisioning, the method comprising: providing one or more executableauthentication rules for determining access by a user to one or moreservices; selecting at least a first executable authentication rule fromthe one or more executable authentication rules, the first executableauthentication rule for determining access by the user to at least afirst service from the one or more services, wherein selecting the firstexecutable authentication rule is based on: a characteristic of theuser, a characteristic of a request, a characteristic of an acquisitionpoint, or any combination thereof; and generating a rules credential,the rules credential including the first executable authentication rule.2. The method of claim 1, wherein the rules credential includes thefirst executable authentication rule in a compressed form.
 3. The methodof claim 1, wherein the characteristic of the user comprises anidentification credential of the user, an identification credential of agroup of users including the user, or any combination thereof.
 4. Themethod of claim 3, wherein the group of users comprises: one or moreemployees of an organization, one or more customers of the organization,or any combination thereof.
 5. The method of claim 1, wherein thecharacteristic of the request comprises: an access-channelcharacteristic, an access-point characteristic, a device characteristic,or any combination thereof.
 6. The method of claim 5 further comprisingselecting the first executable authentication rule based on theaccess-channel characteristic when the user sends the request in: a webmessage, a universal resource locator (URL) message, electronic mail,text messaging, instant messaging, a session initiation protocol (SIP)message, a short message service (SMS) message, a multimedia messagingservice (MMS) message, an enhanced messaging service (EMS) message, anIP multimedia system (IMS) message, a live voice call, an automatedvoice call, an interactive voice response (IVR) call, or any combinationthereof.
 7. The method of claim 5 further comprising selecting the firstexecutable authentication rule based on the access-point characteristicwhen the request originates from a specified network access-point, thespecified network access-point comprising: an IP address, a network IPaddress, a telephone number, an area code, a country code, or anycombination thereof.
 8. The method of claim 5 further comprisingselecting the first executable authentication rule based on the devicecharacteristic when the request originates from a specified device, thespecified device characterized by a software characteristic or ahardware characteristic.
 9. The method of claim 1, wherein thecharacteristic of the acquisition point comprises: a timecharacteristic, a policy characteristic, a service type characteristic,a function type characteristic, or any combination thereof.
 10. Themethod of claim 9 further comprising selecting the first executableauthentication rule based on the time characteristic when the request isreceived during: a specified time range, a specified day of the week, aspecified set of dates, or any combination thereof.
 11. The method ofclaim 9 further comprising selecting the first executable authenticationrule based on the service type characteristic when the first service isassociated with: a retail services type, an employment services type, aninsurance services type, or any combination thereof.
 12. The method ofclaim 9 further comprising selecting the first executable authenticationrule based on the function type characteristic when the first service isassociated with: a financial service, an accounting service, a personnelservice, an administrative service, a trade service, or any combinationthereof.
 13. The method of claim 1, wherein the rules credential isgenerated at an acquisition point.
 14. The method of claim 1 furthercomprising: receiving, from the user, a request for the first service atan enforcement point; and determining, at the enforcement point, if thefirst executable authentication rule applies to the user, whereindetermining if the first executable authentication rule appliescomprises determining if one or more triggers specified by the firstexecutable authentication rule are triggered.
 15. The method of claim14, wherein the one or more triggers comprise: a user trigger, a requesttrigger, an enforcement point trigger, a policy trigger, or anycombination thereof.
 16. The method of claim 15, wherein the usertrigger comprises an identification credential of the user, anidentification credential of a group of users including the user, or anycombination thereof.
 17. The method of claim 15, wherein the requesttrigger comprises: an access-channel trigger, an access-point trigger, adevice trigger, or any combination thereof.
 18. The method of claim 15,wherein the enforcement point trigger comprises: a time trigger, aservice type trigger, a function trigger, an expiration-of-time trigger,or any combination thereof.
 19. The method of claim 1 furthercomprising: receiving, from the user, a request for the first service atan enforcement point; determining if the user satisfies the firstexecutable authentication rule; providing access by the user to thefirst service if the user satisfies the first executable authenticationrule; and executing an authentication action if the user does notsatisfy the first executable authentication rule.
 20. The method ofclaim 19, wherein determining if the user satisfies the first executableauthentication rule comprises determining a satisfaction state of thefirst executable authentication rule.
 21. The method of claim 19,wherein the authentication action comprises: a hard token action, a softtoken action, a personal identification number (PIN) action, a password(PW) action, a knowledge action, a biometric action, a modify-userinformation action, or any combination thereof.
 22. The method of claim19, wherein executing the authentication action comprises directing theuser to a site different from the enforcement point.
 23. The method ofclaim 19, wherein executing the authentication action comprises:providing access by the user to the first service; and executing asupplemental action when the user accesses the first service.
 24. Themethod of claim 19, wherein the authentication action is specified by atleast one of: the first executable authentication rule or theenforcement point.
 25. The method of claim 19 further comprisingmodifying a satisfaction state of the first executable authenticationrule based on a result of the authentication action.
 26. The method ofclaim 1 further comprising: determining if the user satisfies the firstexecutable authentication rule; and providing access by the user to thefirst service if the user does not satisfy the first executableauthentication rule.
 27. The method of claim 26, wherein the firstservice comprises an authentication service for satisfying the firstexecutable authentication rule.
 28. The method of claim 26, wherein therules credential includes at least a second executable authenticationrule from the one or more executable authentication rules.
 29. Themethod of claim 28 further comprising bypassing processing of the secondexecutable authentication rule if the user does not satisfy the firstexecutable authentication rule.
 30. The method of claim 1, wherein theone or more executable authentication rules comprise: a mandatoryconfigurable rule, an optional configurable rule, a mandatorynon-configurable rule, an optional non-configurable rule, or anycombination thereof.
 31. The method of claim 1, wherein the one or moreservices comprise: a financial service, an accounting service, apersonnel service, an administrative service, a trade service, or anycombination thereof.
 32. The method of claim 1, wherein a type of theone or more services comprise: a retail service type, an employmentservice type, an insurance services type, or any combination thereof.33. A computer program product, tangibly embodied in an informationcarrier, the computer program product including instructions beingoperable to cause a data processing apparatus to: provide one or moreexecutable authentication rules for determining access by a user to oneor more services; select at least a first executable authentication rulefrom the one or more executable authentication rules, the firstexecutable authentication rule for determining access by the user to atleast a first service from the one or more services, wherein selectingthe first executable authentication rule is based on: a characteristicof the user, a characteristic of a request, a characteristic of anacquisition point, or any combination thereof; and generate a rulescredential, the rules credential including the first executableauthentication rule.
 34. A system for providing authentication forservice provisioning, the system comprising an authentication systemadapted to: provide one or more executable authentication rules fordetermining access by a user to one or more services; select at least afirst executable authentication rule from the one or more executableauthentication rules, the first executable authentication rule fordetermining access by the user to at least a first service from the oneor more services, wherein selecting the first executable authenticationrule is based on: a characteristic of the user, a characteristic of arequest, a characteristic of an acquisition point, or any combinationthereof; and generate a rules credential, the rules credential includingthe first executable authentication rule.